Does my business need a Data Privacy Impact Assessment?
As the GDPR edges ever closer, time is running out for businesses to achieve compliance before the financial penalties kick in. Our MD Andrew recently shared his compliance expertise with the Manchester Business Post and explained why the DPIA is one test that shouldn’t be missed.
You can read the article in full below…
The short answer to whether you should carry out a Data Privacy Impact Assessment, or DPIA, is undoubtedly yes.
But one-word responses are rarely enough to convince anyone to act, so that’s where the long answer comes in – identifying how and why your company uses personal data is the crucial first step to securing these procedures, so the importance of conducting a company-wide audit of existing processes should not be overlooked.
GDPR compliance
Before 25 May 2018, all businesses processing the personal data of EU citizens must be able to prove that how they gather, use and hold this information complies with the General Data Protection Regulation. Failure to do so could result in hefty financial penalties of up to £20million or 4% of annual turnover from the Information Commissioner’s Office (ICO) – so there’s a bit more than just a slap on the wrist to worry about!
To recap, the new regulations say that personal data must be:
- Processed lawfully, fairly and transparently
- Collected for specific, explicit and legitimate purposes
- Used adequately, relevantly and only when needed
- Correctly recorded and kept up to date
- Retained only for as long as necessary, and
- Protected with appropriate security measures.
Luckily, the Data Privacy Impact Assessment exists as a straightforward, independent means of identifying where the weaknesses in your data processes lie. As well as highlighting these vulnerabilities and flagging up any procedures that breach the GDPR, the assessment also provides you with clear action points for securing your systems and the documentation you need to prove that appropriate measures have been taken to achieve compliance.
The assessment
So, what is the actual purpose of a DPIA?
Acting as a review of systems already in place, an assessment will enable your business to review the risk level of its processes, relative to the security of personal data. As well as considering the privacy of this information, understanding the impact that data loss can have on an individual is a crucial step in working out what preventative actions should be taken.
Basically, a DPIA should provide you with clear written documentation of the following:
- All processes and operations within your company that deal with personal data
- A risk analysis relating to the ‘freedoms and rights of individuals’ (e.g. what damage could occur to an individual in the event of a personal data breach)
- The needs, proportionality and legal basis for your business gathering, using and holding this data
- Countermeasures that are needed to tackle identified risks
- What compliance processes are already in place, and
- The degree to which individuals have already been or can be informed of the above aspects.
All in all, a DPIA will give you the best possible idea of where your business stands on compliance, how far you have to go to reach it, and the path you need to take to get there. In other words, you may well find yourself lost without one – so what are you waiting for?
Q2Q provides bespoke Data Privacy Impact Assessments to suit the needs of any SME. To make a no-obligation enquiry about a DPIA, or to find out more about the range of GDPR services we offer, give us a call on 01524 581690.